external-scaler-azure-cosmos-db's Issues

CVE-2022-1941 (High) detected in google.protobuf.3.21.5.nupkg - autoclosed

CVE-2022-1941 - High Severity Vulnerability

Vulnerable Library - google.protobuf.3.21.5.nupkg

C# runtime library for Protocol Buffers - Google's data interchange format.

Library home page: https://api.nuget.org/packages/google.protobuf.3.21.5.nupkg

Path to dependency file: /src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.21.5/google.protobuf.3.21.5.nupkg

Dependency Hierarchy:

  • google.protobuf.3.21.5.nupkg (Vulnerable Library)

Found in HEAD commit: 208c73830a79844b58ff4ae9ee5915696f9d9299

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-8gq9-2x98-w8hf

Release Date: 2022-09-22

Fix Resolution: protobuf-cpp - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6


Estimator shows estimated lag but processor is not processing

It seems that scaling metric is not precise enough.

Scaler is reporting items to process:

Lease [0] owned by host Instance-cosmosdb-order-processor-585d7b9bc5-gnb88 reports 37 as estimated lag.
Lease [1] owned by host Instance-cosmosdb-order-processor-585d7b9bc5-5jdb2 reports 38 as estimated lag.
There are 2 partitions with estimated lag.

But processor is not getting any items:

k logs cosmosdb-order-processor-585d7b9bc5-gnb88 -n cosmosdb-order-processor
2024-06-13 01:39:00 info: Keda.CosmosDb.Scaler.Demo.OrderProcessor.Worker[0]
      Started change feed processor instance Instance-cosmosdb-order-processor-585d7b9bc5-gnb88
2024-06-13 01:39:00 info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
2024-06-13 01:39:00 info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
2024-06-13 01:39:00 info: Microsoft.Hosting.Lifetime[0]
      Content root path: /app

I verified both are connected to the same DB using a test app that used the same client for the estimator and the feed processor.

Expected Behavior

Pods are scaled to 0 when there's nothing to process.
Pods are processing items when scaler reports estimated changes.

Actual Behavior

Scaler reports changes but processor is not doing anything.

Steps to Reproduce the Problem

  1. Run Demo App on a multi-partition container
  2. Generate some data (may need to do it a few times)
  3. Observe the pods

Specifications

  • KEDA Version: 2.11.2
  • Platform & Version: AKS
  • Kubernetes Version: 1.29.4
  • Scaler(s): Running workload identity version of the scaler from #68

CVE-2018-8292 (Medium) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2018-8292 - Medium Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.5.0.nupkg (Root Library)
    • xunit.assert.2.5.0.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 208c73830a79844b58ff4ae9ee5915696f9d9299

Found in base branch: main

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1


Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

  • chore(deps): update dependency microsoft.net.test.sdk to v17.11.0

Detected dependencies

dockerfile
src/Scaler.Demo/OrderGenerator/Dockerfile
  • mcr.microsoft.com/dotnet/sdk 6.0
  • mcr.microsoft.com/dotnet/runtime 6.0
src/Scaler.Demo/OrderProcessor/Dockerfile
  • mcr.microsoft.com/dotnet/sdk 6.0
  • mcr.microsoft.com/dotnet/runtime 6.0
src/Scaler/Dockerfile
  • mcr.microsoft.com/dotnet/sdk 6.0
  • mcr.microsoft.com/dotnet/aspnet 6.0
github-actions
.github/workflows/main-build.yml
  • actions/checkout v4
  • actions/setup-dotnet v4
  • docker/build-push-action v6
  • docker/build-push-action v6
  • docker/login-action v3
  • docker/metadata-action v5
  • docker/build-push-action v6
.github/workflows/pr-build.yml
  • actions/checkout v4
  • actions/setup-dotnet v4
  • docker/build-push-action v6
  • docker/build-push-action v6
  • docker/build-push-action v6
.github/workflows/release-build.yml
  • actions/checkout v4
  • actions/setup-dotnet v4
  • docker/build-push-action v6
  • docker/build-push-action v6
  • docker/login-action v3
  • docker/metadata-action v5
  • docker/build-push-action v6
nuget
src/Scaler.Demo/OrderGenerator/Keda.CosmosDb.Scaler.Demo.OrderGenerator.csproj
  • Microsoft.Extensions.Hosting 6.0.1
  • Microsoft.Azure.Cosmos 3.42.0
  • Bogus 34.0.2
src/Scaler.Demo/OrderProcessor/Keda.CosmosDb.Scaler.Demo.OrderProcessor.csproj
  • Microsoft.Extensions.Logging 6.0.0
  • Microsoft.Extensions.Hosting 6.0.1
  • Microsoft.Azure.Cosmos 3.42.0
src/Scaler.Demo/Shared/Keda.CosmosDb.Scaler.Demo.Shared.csproj
  • NewtonSoft.Json 13.0.3
  • Microsoft.Extensions.Hosting 6.0.1
  • Microsoft.Azure.Cosmos 3.42.0
src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj
  • coverlet.collector 3.2.0
  • xunit.runner.visualstudio 2.8.2
  • xunit 2.9.0
  • Moq 4.20.70
  • Microsoft.NET.Test.Sdk 17.10.0
src/Scaler/Keda.CosmosDb.Scaler.csproj
  • NewtonSoft.Json 13.0.3
  • Microsoft.Extensions.Logging 6.0.0
  • Microsoft.Azure.Cosmos 3.42.0
  • Grpc.AspNetCore 2.65.0

Provide README

Provide README that gives more information about this external scaler and what to expect

CVE-2017-0256 (Medium) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0256 - Medium Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.2.nupkg (Root Library)
    • xunit.assert.2.4.2.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 208c73830a79844b58ff4ae9ee5915696f9d9299

Found in base branch: main

Vulnerability Details

A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0256

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-0256

Release Date: 2017-05-12

Fix Resolution: Microsoft.AspNetCore.Mvc.ApiExplorer - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Abstractions - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.1.3,1.0.4;System.Net.Http - 4.1.2,4.3.2;Microsoft.AspNetCore.Mvc.Razor - 1.1.3,1.0.4;System.Net.Http.WinHttpHandler - 4.0.2,4.3.0-preview1-24530-04;System.Net.Security - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;System.Text.Encodings.Web - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Razor.Host - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3;System.Net.WebSockets.Client - 4.3.0-preview1-24530-04,4.0.1;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.1.3,1.0.4;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3


Provide CI

Provide CI with GitHub Actions that has two jobs:

  • Build - Builds the solution, runs unit tests
  • Docker - Build the container image and push to GHCR (master only with :experimental tag)

CVE-2019-0820 (High) detected in system.text.regularexpressions.4.3.0.nupkg - autoclosed

CVE-2019-0820 - High Severity Vulnerability

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.5.0.nupkg (Root Library)
    • xunit.assert.2.5.0.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.xml.xdocument.4.3.0.nupkg
          • system.xml.readerwriter.4.3.0.nupkg
            • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 208c73830a79844b58ff4ae9ee5915696f9d9299

Found in base branch: main

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1


CVE-2017-0248 (High) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0248 - High Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.2.nupkg (Root Library)
    • xunit.assert.2.4.2.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 208c73830a79844b58ff4ae9ee5915696f9d9299

Found in base branch: main

Vulnerability Details

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

Publish Date: 2017-05-12

URL: CVE-2017-0248

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1, 4.3.1;System.Net.Http - 4.1.2, 4.3.2;System.Net.Http.WinHttpHandler - 4.0.2, 4.3.1;System.Net.Security - 4.0.1, 4.3.1;System.Net.WebSockets.Client - 4.0.1, 4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4, 1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4, 1.1.3


Azure Functions Support

Expected behavior when implementing this solution is not fully supported when initial container was created from Azure Function using "func kubernetes deploy" or when building native container from mcr azure-function image. Change-Feed Processor does not seem to be configured correctly which prevents solution from scaling appropriately when CosmosDB trigger is executed.

Use-Case

Goal is to perform the following workflow:

  1. Create Azure Function which triggers on CosmosDB changes
  2. Leverage Azure Function Core Tools in order to run functions inside of AKS which creates Dockerfile
  3. Deploy container into AKS and leverage the external ScaledObject via Keda resource

Specification

  • Test Azure Functions support with CosmosDB trigger to ensure solution works for this scenario.
  • Test and Validate change-feed processor configuration to ensure the metadata process.Name mandatory field has valid entry

Support AAD Pod Identity

Add support for using pod identity binding to access the cosmos db via account endpoint only.

Use-Case

Our cosmos dbs are set up to only use AD for access. We would like to create a role with the access that this scaler will need and use that and the account endpoint for access. We would then not need to have connection strings in configuration.

CVE-2017-0247 (High) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0247 - High Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.2.nupkg (Root Library)
    • xunit.assert.2.4.2.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 208c73830a79844b58ff4ae9ee5915696f9d9299

Found in base branch: main

Vulnerability Details

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

Publish Date: 2017-05-12

URL: CVE-2017-0247

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.5.4;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3


CVE-2017-0249 (High) detected in system.net.http.4.3.0.nupkg - autoclosed

CVE-2017-0249 - High Severity Vulnerability

Vulnerable Library - system.net.http.4.3.0.nupkg

Provides a programming interface for modern HTTP applications, including HTTP client components that...

Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg

Path to dependency file: /src/Scaler.Tests/Keda.CosmosDb.Scaler.Tests.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg

Dependency Hierarchy:

  • xunit.2.4.2.nupkg (Root Library)
    • xunit.assert.2.4.2.nupkg
      • netstandard.library.1.6.1.nupkg
        • system.net.http.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 208c73830a79844b58ff4ae9ee5915696f9d9299

Found in base branch: main

Vulnerability Details

An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

Publish Date: 2017-05-12

URL: CVE-2017-0249

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2017-05-12

Fix Resolution: System.Text.Encodings.Web - 4.0.1,4.3.1;System.Net.Http - 4.1.2,4.3.2;System.Net.Http.WinHttpHandler - 4.0.2,4.3.1;System.Net.Security - 4.0.1,4.3.1;System.Net.WebSockets.Client - 4.0.1,4.3.1;Microsoft.AspNetCore.Mvc - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Core - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Abstractions - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ApiExplorer - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Cors - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.DataAnnotations - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Json - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Formatters.Xml - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Localization - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor.Host - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.Razor - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.TagHelpers - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.ViewFeatures - 1.0.4,1.1.3;Microsoft.AspNetCore.Mvc.WebApiCompatShim - 1.0.4,1.1.3

